Re: Long running backups - OK?

From: Mladen Gogala <gogala.mladen_at_gmail.com>
Date: Sat, 27 Jan 2018 23:36:41 -0500
Message-ID: <a8e56146-5516-63d5-2a6b-cabae95f40c0_at_gmail.com>


Hi David,

Sorry for the incorrect spelling. I did two HIPAA audits and I did 4 SOX audits. I have never done a PCI audit. The point here is that your backup strategy is discussed with the consultants doing the certification, which makes backups important. All I was saying in the initial line of discussion is that backups are important, it's not just RTO and RPO. And the backup strategy was discussed during every audit I've ever gone through. That is the point I was trying to make. Funny thing is that Tim has also done SOX audits, probably some HIPAA audits too. The consulting company that does most of the SOX and HIPAA audits is DLJ ("Donaldson, Lufkin & Jenrette") and anyone who has ever worked with them, as both Tim and I have, knows how anal about backups they are. Which makes the backups important for the company. Q.E.D.

Regards

On 01/27/2018 11:02 PM, David Hicken wrote:
> I don’t understand how anyone that has gone through 6 audits would still call it HIPPA, and know that HIPAA has nothing to do at all with SOX. My job in my organization is HIPAA compliance and security. I probably understand HIPAA as well as anyone out there. We are audited annually. I have to be certified annually. If I showed the auditors a box of tapes, or unusable disk files, they’d laugh, if they had a sense of humor. My job, my livelihood, everything is on the line. All day. Every day. And it is not for one database, it is for close to 100 databases scattered throughout the country, accessed by hundreds of people in hundreds of hospitals.
>
> Strangely enough, in my previous job, I did the same thing with PCI, which does have issues with SOX, but that’s another day.
>
> This conversation, at best, is only slightly tangential and completely meaningless to the OP. It is simply meant to try and stir the pot. Why?
>
> David Hicken
>
> "There is no reality.
> It's only perception."
>
>> On Jan 27, 2018, at 7:55 PM, Andrew Kerber <andrew.kerber_at_gmail.com> wrote:
>>
>> True, it doesn’t specify the form. But backups are typically cheaper to store than paper records. Also, hand in glove with 7 year retention is the requirement to make sure certain records are deleted after 7 years. It’s much easier to mark data for deletion and run a delete or truncate command than it is to go out, locate, and delete paper or film records. Because of that, almost everyone does use backups rather than paper or film.
>>
>> Sent from my iPhone
>>
>>> On Jan 27, 2018, at 12:11 PM, Tim Gorman <tim.evdbt_at_gmail.com> wrote:
>>>
>>> Sorry, but calling BS on that nonsense, simply untrue and utterly ridiculous no matter how you view it.
>>>
>>> Legislation and regulations call for retention of information for review during an audit, not "data backups". The laws cite neither backup nor recovery, just records and documents. Auditors are not interested in zeros and ones.
>>>
>>> Take for example: https://www.sec.gov/rules/final/33-8180.htm
>>>
>>>
>>>
>>>> On 1/27/18 10:50, Mladen Gogala wrote:
>>>> That is not entirely true. Some laws (SOX, HIPPA, PCI, Murphy) mandate 7 years of data backups. They do not mandate the ability to restore. Theoretically, you can have a 7-year-old 9i rman backup of your database at the time and that is fine. Nobody mandates that you need to have a 9i instance to restore it to. So, if the regulators, and that's where the Murphy's law comes into play, do an inspection of your IT, you need to show them 7 years of backups. Nobody will ask you if you can actually restore those backups. That is how backups can be important.
>>>>
>>>>
>>>>> On 01/26/2018 02:00 PM, Glenn Travis wrote:
>>>>> Any question about backups should really be converted into a question on restore and recovery, because backups don't matter, restore/recovery from those backups matters.
>>> --
>>> http://www.freelists.org/webpage/oracle-l

-- 
Mladen Gogala
Database Consultant
Tel: (347) 321-1217

Received on Sun Jan 28 2018 - 05:36:41 CET